Skillv2.4.1

ClawScan security

分贝通旅行 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 21, 2026, 7:02 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its travel/booking purpose, but there are several implementation choices and documentation claims that don't line up (PII handling, hard-coded token, and use of shell execution) that warrant caution before installing.
Guidance: This skill appears to implement the travel functionality it advertises, but review these points before installing or using it with real accounts: - PII persistence and logging: The code writes auth tokens (~/.fbt-auth.json / ~/.fbt_auth.json) and price caches (~/.fbt_price_cache.json) to your home directory and prints passenger name/phone/ID to stdout in some scripts. This contradicts the SKILL.md statement that passenger info is not logged. If you care about privacy, inspect file locations and file permissions and consider running in an isolated environment. - Hard-coded token: hotel_api.py contains a DEFAULT_ACCESS_TOKEN constant. Treat hard-coded secrets as risky — confirm whether it's a harmless test token and rotate or remove it if you plan to use a real account. - Shell execution risk: travel_api.py uses os.system with joined arguments. If untrusted input can reach those commands, shell injection is possible. Prefer subprocess with argument lists or sanitize inputs. - Network endpoints: the code talks to app-gate.fenbeitong.com (matches the vendor name). If you do not trust the source, do not allow the skill network access or run it behind network monitoring. - Mitigations: run the skill in a sandboxed environment or container, inspect and remove hard-coded secrets, set strict file permissions on created files, and review/modify code to avoid os.system and to avoid printing PII. If you cannot audit the code, treat it as untrusted and avoid supplying real passenger credentials or corporate accounts.

Review Dimensions

Purpose & Capability: okName/description, declared binary requirement (python3), and network endpoints (app-gate.fenbeitong.com) align with a Fenbeitong enterprise travel integration. Declared auth files (~/.fbt_auth.json, ~/.fbt-auth.json) are consistent with the described per-system authentication.
Instruction Scope: concernSKILL.md instructs the agent to perform silent background auth checks and strict output formatting; that is consistent. However the documentation states '乘客信息仅在预订时发送，不记录在日志', while code prints passenger name/phone/ID to stdout (e.g., flight_order.py) and persists auth tokens and price cache to files in the user's home (~/.fbt-auth.json, ~/.fbt_price_cache.json). This contradicts the 'no logging' claim and means PII/credentials may be stored on disk and appear in logs. The SKILL.md also directs running scripts with user-derived arguments; the runtime code uses os.system to invoke scripts with joined args (travel_api.py), which can be vulnerable to shell injection if inputs are not sanitized.
Install Mechanism: okInstruction-only skill with a requirements.txt (requests). No external downloads or install scripts. The code bundle is provided; nothing is fetched from unknown URLs during install.
Credentials: noteNo environment variables or unrelated credentials are requested. The skill stores auth tokens and caches under the user's home directory (expected for this purpose), but a hard-coded DEFAULT_ACCESS_TOKEN value exists in hotel_api.py (fbsk-2db251f6c8d74ce69ae3dcb82ed1055b). Hard-coded tokens in code can be a security concern (may grant access without user authentication). The code persists mobile numbers in auth files, which is PII — acceptable for a booking tool but should be clearly documented and protected.
Persistence & Privilege: concernThe skill is not always-enabled and uses local persistent files (auth token, price cache, temp seat files) under the user home. That behavior is expected, but combined with printed PII and a default token it increases persistence of sensitive data. Autonomous invocation is allowed by default (not flagged by itself), which increases blast radius if the skill is later abused.